[rb-general] [jvm] introducing reproducible-central
Hervé Boutemy
hboutemy at apache.org
Thu Jan 17 17:45:19 CET 2019
Hi,
It seems I was not clear on the intent: I'm not dismissing anything.
I'm just trying to figure out how to rebuild Maven Central content in a way
that has a chance to get the same binary result, starting on a few simple
examples done by hand = a few projects, in all their past versions.
Figuring out the command to run is one aspect.
But I'm also trying to figure out which build environment I must use for each
version of each project: this is where it is tricky.
If you think in-toto can help, don't hesitate to show how: I read the site and
could not see what I could get from it, be it at the current step (discovering
how to write the rebuild instructions for a human) or later when trying to
automate and extend.
Regards,
Hervé
On Thursday, 17 January 2019, 16:46:02 CET, Santiago Torres wrote:
> Hi,
>
> On Thu, Jan 17, 2019 at 10:04:01AM +0100, Hervé Boutemy wrote:
> > Hi,
> >
> > After the work on jvm buildinfo [1], the discussion on rebuilder
> > attestations showed that Maven central could be seen as some sort of
> > Linux distribution: it has some specific aspects (multi-platform,
> > multi-version for each project), but it shares the fact that someone must
> > write a rebuild specification for everything to be able to automatically
> > execute rebuilds, and these rebuilds will generate buildinfo.
>
> I'm a little surprised that you dismissed in-toto for this specific
> reason. in-toto is being used today to create platform-agnostic
> supply-chain attestations for everything, from single files to whole
> container images.
>
> I'm not against re-inventing the wheel or having competing ideas, but it
> seems to me that avoiding xkcd 927 would be a good idea.
>
> Thanks,
> -Santiago